Hackers Exploiting Infected Android Devices to Register Disposable Accounts
2022-02-21 21:18

An analysis of SMS phone-verified account services has led to the discovery of a rogue platform built atop a botnet involving thousands of infected Android phones, once again underscoring the flaws with relying on SMS for account validation.

SMS PVA services, since gaining prevalence in 2018, provide users with alternative mobile numbers that can be used to register for other online services and platforms, and help bypass SMS-based authentication and single sign-on mechanisms put in place to verify new accounts.

With online portals often authenticating new accounts by cross-checking the location of the users against their phone numbers during registration, SMS PVA services get around this restriction by making use of residential proxies and VPNs to connect to the desired platform.

What's more, these services only sell the one-time confirmation codes needed at the time of account registration, with the botnet operator using the army of compromised devices to receive, examine, and report the SMS verification codes without the owners' knowledge and consent.

"The presence of SMS PVA services makes another dent on the integrity of SMS verification as the primary means of account validation," the researchers said.

"The scale to which SMS PVA is able to supply mobile numbers means that the usual methods to ensure validity - such as blocklisting mobile numbers previously tied to account abuse or identifying numbers belonging to VoIP services or SMS gateways - won't be enough."


News URL

https://thehackernews.com/2022/02/hackers-exploit-bug-in-sms-verification.html

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Android 4 0 17 2 0 19